Skip to content
  • There are no suggestions because the search field is empty.

NetWitness Platform Out-of-the-Box Policies

NetWitness Platform Out-of-the-Box PoliciesNetWitness Platform Out-of-the-Box Policies

The following table lists the NetWitness Out-of-the-Box Policies with the rules defined for each policy.

You can perform the following tasks on any of these policies:

  • Change service and group assignments.
  • Disable or enable policies.

You cannot perform the following tasks on any of these policies:

  • Delete them.
  • Edit Policy names.

Note: Additional information about the Out-of-the-Box Policies can be found in the User Interface under
Health & Wellness > Policies.

  • Policy Name:
  • Rule Name: Communication Failure Between Master NetWitness Server Host and a Remote Host
  • Alarm Triggered: Host is down, Network is down, Message Broker is Down, or Invalid or missing security certificates for 10 minutes or more.

  • Policy Name: NetWitness Server Monitoring Policy
  • Rule Name: Critical Usage on Rabbitmq Message Broker Filesystem
  • Alarm Triggered: For var/lib/rabbitmq, Mounted Filesystem Disk Usage goes over 75%.

  • Policy Name: Filesystem is Full
  • Rule Name: Overall Mounted Filesystem Disk Usage reaches 100%.

  • Policy Name: High Filesystem Usage
  • Rule Name: Overall Mounted Filesystem Disk Usage goes over 95%.

  • Policy Name: High System Swap Utilization
  • Rule Name: Swap Utilization goes under 5 % for 5 minutes or more.

  • Policy Name: High Usage on Rabbitmq Message Broker Filesystem
  • Rule Name: Mounted Filesystem Disk Usage for var/lib/rabbitmq goes over 60%.

  • Policy Name: Host Unreachable
  • Rule Name: Host down.

  • Policy Name: LogCollector Event Processor Exchange Bindings Status
  • Rule Name: Issue with Log Collection Message Broker Queues for 10 minutes or more.

  • Policy Name: LogCollector Event Processor Queue with No Bindings
  • Rule Name: Issue with Log Collection Message Broker Queues for 10 minutes or more.

  • Policy Name: LogCollector Event Processor Queue with No Consumers
  • Rule Name: Issue with Log Collection Message Broker Queues for 10 minutes or more.

  • Policy Name: Power Supply Failure
  • Rule Name: Host not receiving power.

  • Policy Name: RAID Logical Drive Degraded
  • Rule Name: For Raid Logical Drive, Drive State equals Degraded or Partially Degraded.

  • Policy Name: RAID Logical Drive Failed
  • Rule Name: For Raid Logical Drive, Logical Drive State equals Offline, Failed, or Unknown.

  • Policy Name: RAID Logical Drive Rebuilding
  • Rule Name: For Raid Logical Drive, Logical Drive State equals Rebuild.

  • Policy Name: RAID Physical Drive Failed
  • Rule Name: For Raid Physical Drive, Physical Drive State does not equal Online, Online Spun Up, or Hotspare.

  • Policy Name: RAID Physical Drive Failure Predicted
  • Rule Name: For Raid Physical Drive, Physical Drive Predictive Failure Count is greater than 1.

  • Policy Name: RAID Physical Drive Rebuilding
  • Rule Name: For Raid Physical Drive, Physical
    Drive State equals Rebuild.

  • Policy Name: RAID Physical Drive Unconfigured
  • Rule Name: For Raid Physical Drive, Physical
    Drive State contains Unconfigured (good).

  • Policy Name: SD Card Failure
  • Rule Name: SD Card Status does not equal ok.

  • Policy Name: NetWitness Archiver
    ​Monitoring Policy
  • Rule Name: Archiver Aggregation Stopped
  • Alarm Triggered: Archiver Status does not equal started.

  • Policy Name: Archiver Database(s) Not Open
  • Rule Name: Database Status does not equal opened.

  • Policy Name: Archiver Not Consuming From Service
  • Rule Name: Devices Status does not equal consuming.

  • Policy Name: Archiver Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: Archiver Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: NetWitness Broker Monitoring Policy
  • Rule Name: Broker >5 Pending Queries
  • Alarm Triggered: Queries Pending greater than or equal to 5 for 10 minutes or more.

  • Policy Name: Broker Aggregation Stopped
  • Rule Name: Broker Status does not equal started.

  • Policy Name: Broker Not Consuming From Service
  • Rule Name: Devices Status does not equal consuming.

  • Policy Name: Broker Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: Broker Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: Broker Session Rate Zero
  • Rule Name: Session Rate (current) equals 0 for 2 minutes or more.

  • Policy Name: NetWitness
    Concentrator Monitoring Policy



  • Rule Name: Concentrator >5 Pending Queries
  • Alarm Triggered: Queries Pending greater than or equal to 5 for 10 minutes or more.

  • Policy Name: Concentrator Aggregation Behind >100K Sessions
  • Rule Name: Devices Sessions Behind is greater than or equal to 100000 for 1 minute or more.

  • Policy Name: Concentrator Aggregation Behind >1M Sessions
  • Rule Name: Devices Sessions Behind is greater than or equal to 1000000 for 1 minute or more.

  • Policy Name: Concentrator Aggregation Behind >50M Sessions
  • Rule Name: Devices Sessions Behind is greater than or equal to 50000000 for 1 minute or more.

  • Policy Name: Concentrator Aggregation Stopped
  • Rule Name: Broker Status does not equal started.

  • Policy Name: Concentrator Database(s) Not Open
  • Rule Name: Database Status does not equal opened.

  • Policy Name: Concentrator Meta Rate Zero
  • Rule Name: Concentrator Meta Rate (current) equals 0 for 2 minutes or more.

  • Policy Name: Concentrator Not Consuming From Service
  • Rule Name: Devices Status does not equal consuming.

  • Policy Name: Concentrator Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: Concentrator Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: NetWitness Decoder
    Monitoring Policy
  • Rule Name: Decoder Capture Not Started
  • Alarm Triggered: Capture Status does not equal started.

  • Policy Name: Decoder Capture Rate Zero
  • Rule Name: Capture Rate (current) equals 0 for 2 minutes or more.

  • Policy Name: Decoder Database Not Open
  • Rule Name: Database Status does not equal opened.

  • Policy Name: Decoder Dropping >1% of Packets
  • Rule Name: Capture Packets Percent Dropped (current) is greater than or equal to 1%.

  • Policy Name: Decoder Dropping >10% of Packets
  • Rule Name: Capture Packets Percent Dropped (current) is greater than or equal to 10%.

  • Policy Name: Decoder Dropping >5% of Packets
  • Rule Name: Capture Packets Percent Dropped (current) is greater than or equal to 5%.

  • Policy Name: Decoder Packet Capture Pool Depleted
  • Rule Name: Packet Capture Queue equals 0 for 2 minutes or more.

  • Policy Name: Decoder Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: Decoder Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: NetWitness Event Steam Analysis
    Monitoring Policy



  • Rule Name: ESA Overall Memory Utilization > 85%
  • Alarm Triggered: Total ESA Memory Usage % is greater than or equal to 85 %.

  • Policy Name: ESA Overall Memory Utilization > 95%
  • Rule Name: Total ESA Memory Usage % is greater than or equal to 95 %.

  • Policy Name: ESA Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: ESA Trial Rules Disabled
  • Rule Name: Trial Rules Status does not equal enabled.

  • Policy Name: NetWitness IPDB
    Extractor
    Monitoring
    Policy
  • Rule Name: IPDB Extractor Service in Bad State
  • Alarm Triggered: Service State does not equal started or ready.

  • Policy Name: IPDB Extractor Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: NetWitness Incident Management
    Monitoring
    Policy
  • Rule Name: Incident Management Service Stopped
  • Alarm Triggered: Server Status does not equal started.

  • Policy Name: NetWitness Log Collector
    Monitoring
    Policy
  • Rule Name: Log Collector Service Stopped
  • Alarm Triggered: Server Status does not equal started.

  • Policy Name: Log Decoder Event Queue > 50% Full
  • Rule Name: Number of events currently in the queue is using 50% or more of the queue.

  • Policy Name: Log Decoder Event Queue > 80% Full
  • Rule Name: Number of events currently in the queue is using 80% or more of the queue.

  • Policy Name: Log Collector Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: NetWitness Log Decoder
    Monitoring
    Policy
  • Rule Name: Decoder Dropping>10% of Packets
  • Alarm Triggered: Capture Packets Percent Dropped (current) is greater than or equal to 10%

  • Policy Name: Log Capture Not Started
  • Rule Name: Capture Status does not equal started.

  • Policy Name: Log Decoder Capture Rate Zero
  • Rule Name: Capture Rate (current) equals 0 for 2 minutes or more.

  • Policy Name: Log Decoder Database Not Open
  • Rule Name: Database Status does not equal opened.

  • Policy Name: Log Decoder Dropping >1% of Logs
  • Rule Name: Capture Packets Percent Dropped (current) is greater than or equal to 1%.

  • Policy Name: Log Decoder Dropping >5% of Logs
  • Rule Name: Capture Packets Percent Dropped (current) is greater than or equal to 5%.

  • Policy Name: Log Decoder Packet Capture Pool Depleted
  • Rule Name: Packet Capture Queue equals 0 for 2 minutes or more.

  • Policy Name: Log Decoder Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: Log Decoder Service in Bad State
  • Rule Name: Service State does not equal started or ready.

  • Policy Name: NetWitness Malware Analysis
    Monitoring
    Policy
  • Rule Name: Malware Analysis Service Stopped
  • Alarm Triggered: Server Status does not equal started.

  • Policy Name: NetWitness Reporting Engine Monitoring
    Policy
  • Rule Name: Reporting Engine Alerts Critical Utilization
  • Alarm Triggered: Alerts Utilization is greater than or equal to 10 for 5 minutes or more.

  • Policy Name: Reporting Engine Available Disk <10%
  • Rule Name: Available disk space is less than 10%.

  • Policy Name: Reporting Engine Available Disk <5%
  • Rule Name: Available disk space is less than or equal to 5%.

  • Policy Name: Reporting Engine Charts Critical Utilization
  • Rule Name: Charts Utilization is greater than or equal to 10 for 5 minutes or more.

  • Policy Name: Reporting Engine Rules Critical Utilization
  • Rule Name: Rules Utilization is greater than or equal to 10 for 5 minutes or more.

  • Policy Name: Reporting Engine Schedule Task Pool Critical Utilization
  • Rule Name: Schedule Task Pool Utilization is greater than or equal to 10 for 15 minutes or more.

  • Policy Name: Reporting Engine Service Stopped
  • Rule Name: Server Status does not equal started.

  • Policy Name: Reporting Engine Shared Task Critical Utilization
  • Rule Name: Shared Task Pool Utilization is greater than or equal to 10 for 5 minutes or more.